#ParsedReport
20-10-2022
Infostealer Distributed Using Bundled Installer
https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer
Threats:
Beacon
Industry:
Financial
Geo:
Singapore, Georgia, Dubai, Australia, India
TTPs:
Tactics: 5
Technics: 10
IOCs:
File: 5
IP: 2
Coin: 2
Registry: 1
Url: 1
Hash: 15
Softs:
telegram, photoshop, topaz clean, bitappwallet, binancechain, bravewallet, equalwallet, iwallet, mathwallet, niftywallet, have more...
Algorithms:
zip
Cyble
Infostealer Distributed Using Bundled Installer
Cyble Research and Intelligence Labs identifies a new Temp stealer and analyses how it spreads via free & cracking Software.
#ParsedReport
20-10-2022
Qakbot. Qakbot Malware Being Distributed in Korea
https://asec.ahnlab.com/ko/40364
Threats:
Qakbot
Bumblebee
Icedid
Malware/win.possible_smhpqakbottha.r525663
Industry:
Financial
IOCs:
File: 4
IP: 4
Hash: 3
ASEC BLOG
Qakbot Malware Being Distributed in Korea - ASEC BLOG
The ASEC analysis team has confirmed that the Qakbot malware introduced last September is being distributed to users in Korea. The overall behavior, including the use of an ISO file, is similar to the earlier campaign, but a step has been added to evade behavior-based detection. First, the email distributed to Korean users is shown below. The mail takes the form of a reply to a hijacked legitimate email with a malicious file attached, which is the same distribution method as that of Bumblebee and IceID introduced previously on this blog.…
#ParsedReport
20-10-2022
Phishing Campaign Targeting the Saudi Government Service Portal, Absher
https://cloudsek.com/threatintelligence/phishing-campaign-targeting-the-saudi-government-service-portal-absher/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-campaign-targeting-the-saudi-government-service-portal-absher
Industry:
Government
Cloudsek
Phishing Campaign Targeting the Saudi Government Service Portal, Absher | Threat Intelligence | CloudSEK
Multiple phishing domains impersonating Absher, the Saudi government service portal. Domains provide fake services to the citizens and steal their credentials.
#ParsedReport
20-10-2022
An In-Depth Look at Russian Threat Actor, Killnet
https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-russian-threat-actor-killnet
Actors/Campaigns:
Killnet (motivation: hacktivism, financially_motivated)
Nb65 (motivation: hacktivism)
Bluehornet (motivation: hacktivism)
Sandworm
Fancy_bear
Xaknet
Vice_society
Threats:
Hermeticwiper
Whispergate
Revil
Credential_harvesting_technique
Industry:
Energy, Aerospace, Financial, Government
Geo:
France, Russian, Latvia, German, Germany, Estonia, Russia, Lithuanias, Kaliningrad, Polish, Poland, Romania, Ukrainian, Ukraine, Lithuania
IOCs:
IP: 60
Softs:
telegram
Avertium
An In-Depth Look at Russian Threat Actor, Killnet
Russian hacktivists like Killnet are making threats against and attacking not only Ukraine, but the U.S. as well.
#ParsedReport
20-10-2022
New Prestige ransomware impacts organizations in Ukraine and Poland
https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland
Actors/Campaigns:
Dev-0960
Threats:
Prestige_ransomware
Minidump_tool
Hermeticwiper
Arguepatch_loader
Killdisk
Impacket_tool
Winpeas_tool
Cryptopp_tool
Industry:
Transport, Logistic
Geo:
Ukraine, Russian, Poland
IOCs:
File: 7
Path: 3
Hash: 3
Softs:
microsoft 365 defender, active directory, windows scheduled task, mssql windows service, psexec, microsoft defender, microsoft defender for endpoint
Win API:
Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection
Win Services:
MSSQLSERVER
Links:
https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/PrestigeRansomwareIOCsOct22.yaml
Microsoft Security Blog
New “Prestige” ransomware impacts organizations in Ukraine and Poland | Microsoft Security Blog
The Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a novel ransomware campaign attributed to IRIDIUM targeting organizations in the logistics and transportation industry in Ukraine and Poland utilizing a previously unidentified ransomware…
#ParsedReport
21-10-2022
Venus ransomware targets remote desktop services
https://www.malwarebytes.com/blog/news/2022/10/venus-ransomware-targets-remote-desktop-services
Threats:
Venus_locker
Chaos
Softs:
remote desktop services
Malwarebytes
Venus Ransomware targets remote desktop services
We take a look at reports of Venus ransomware targeting remote desktop services/RDP.
#ParsedReport
21-10-2022
Attackers Abusing Various Remote Control Tools
https://asec.ahnlab.com/en/40263
Actors/Campaigns:
Kimsuky
Darkside
Ta505
Threats:
Anydesk_tool
Remcos_rat
Teamviewer_tool
Metasploit_tool
Avemaria_rat
Sbit_rat
Redline_stealer
Nanocore_rat
Gh0st_rat
Asyncrat_rat
Quasar_rat
Nukesped_rat
Appleseed
Cobalt_strike
Meterpreter_tool
Conti
Todesk_tool
Rudesktop_tool
Smokeloader
Ammyyadmin_tool
Flawedammyy
Mimikatz_tool
Clop
Sweetpotato_tool
Tightvnc_tool
Tigervnc_tool
Tinynuke
Hvnc_tool
Hiddenvnc_tool
Tmate_tool
Xmrig_miner
Tsunami_botnet
Hildegard
Radmin_tool
Malware/mdp.download.m1197
Bazarbackdoor
Industry:
Financial
Geo:
Russian, Chinese
IOCs:
File: 3
Hash: 2
Url: 6
Softs:
ms-sql
Functions:
SetWindowsTextW
ASEC
Attackers Abusing Various Remote Control Tools - ASEC
#ParsedReport
21-10-2022
GuLoader Malware Disguised as a Word File Being Distributed in Korea
https://asec.ahnlab.com/en/40283
Threats:
Cloudeye
Formbook
Redline_stealer
Agent_tesla
Trojan/win.agent.c5275941
Geo:
Korea, Korean
IOCs:
Url: 1
File: 1
Path: 1
Hash: 2
Algorithms:
xor
Functions:
API
ASEC
GuLoader Malware Disguised as a Word File Being Distributed in Korea - ASEC
The ASEC analysis team has discovered that the GuLoader malware is being distributed to Korean corporate users. GuLoader is a downloader that has been steadily distributed since the past, downloading various malware. The phishing mail being distributed is…
#ParsedReport
21-10-2022
Ursnif Malware Moving to Ransomware Operations from Bank Account Theft
https://socradar.io/ursnif-malware-moving-to-ransomware-operations-from-bank-account-theft
Threats:
Gozi
Industry:
Financial, Telco
IOCs:
File: 3
Hash: 28
Domain: 28
IP: 30
Softs:
windows registry
Platforms:
x64
SOCRadar® Cyber Intelligence Inc.
Ursnif Malware Moving to Ransomware Operations from Bank Account Theft - SOCRadar® Cyber Intelligence Inc.
Ursnif (a.k.a. Gozi), a former banking trojan, has been repurposed as a generic backdoor. Threat actors could use the new variant to distribute
#ParsedReport
21-10-2022
Trends in Web Threats: Old Web Skimmer Still Active Today
https://unit42.paloaltonetworks.com/web-threat-trends-web-skimmer
Industry:
Financial
Geo:
Japan, Emea, America, Africa, Russia, Germany, Australia, Apac
IOCs:
Domain: 3
File: 2
Url: 1
IP: 4
Hash: 2
Languages:
javascript
YARA: Found
Unit 42
Trends in Web Threats: Old Web Skimmer Still Active Today
We examine trends in web threats for the first quarter of 2022, including an old web skimmer that is still active five years later.
#ParsedReport
21-10-2022
ASEC (20221010 ~ 20221016). ASEC Weekly Malware Statistics (20221010 ~ 20221016)
https://asec.ahnlab.com/ko/40440
Threats:
Smokeloader
Smokerloader
Agent_tesla
Azorult
Cloudeye
Postealer
Formbook
Remcos_rat
Nanocore_rat
Beamwinhttp_loader
Garbage_cleaner
Clipboard_grabbing_technique
Industry:
Transport
Geo:
Korea
IOCs:
File: 22
Domain: 10
IP: 3
Email: 5
Url: 20
Softs:
discord, nsis installer
Languages:
php, visual_basic
ASEC BLOG
ASEC Weekly Malware Statistics (20221010 ~ 20221016) - ASEC BLOG
The ASEC analysis team classifies and responds to known malware using RAPIT, ASEC's automated analysis system. This post summarizes the statistics of malware collected over one week, from Monday, October 10, 2022 to Sunday, October 16, 2022. By major category, downloaders ranked first at 44.4%, followed by infostealer malware at 41.7%, backdoors at 12.5%, ransomware at 0.9%, and coin miners at 0.5%. Top1. SmokeLoader…
#ParsedReport
21-10-2022
OnionPoison: YouTube Channels spreading malicious TOR browsers installers
https://www.secureblink.com/threat-research/onion-poison-you-tube-channels-spreading-malicious-tor-browsers-installers
Actors/Campaigns:
Onionpoison
Threats:
Onionduke
Geo:
China, Chinese
IOCs:
Hash: 9
File: 9
Registry: 1
Domain: 1
Softs:
visual studio, google chrome, wechat
Algorithms:
aes, xor, hmac-sha1, base64, aes-128, hmac
Win API:
RtlDecompressBuffer
Secureblink
OnionPoison: YouTube Channels spreading malicious TOR browsers installers | Secure Blink
OnionPoison involved in wild infection chain of TOR Browser installer spread via YouTube channels
#ParsedReport
21-10-2022
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
Actors/Campaigns:
Blackmatter
Blackcat
Threats:
Exbyte_stealer
Blackbyte
Megadumper_tool
Ollydbg_tool
Windbg_tool
Exmatter_tool
Lockbit
Ryuk
Stealbit
Proxyshell_vuln
Proxylogon_exploit
Adfind_tool
Anydesk_tool
Netscan_tool
Powerview
Edrsandblast_tool
Vssadmin_tool
Conti
Revil
CVEs:
CVE-2021-34523 [Vulners]
Vulners: Score: 7.5, CVSS: 3.4,
Vulners: Exploitation: True
X-Force: Risk: 9
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-34473 [Vulners]
Vulners: Score: 10.0, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
CVE-2021-27065 [Vulners]
Vulners: Score: 6.8, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 7.8
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2016, 2016, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-26855 [Vulners]
Vulners: Score: 7.5, CVSS: 2.8,
Vulners: Exploitation: True
X-Force: Risk: 9.1
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2016, 2016, 2013, 2016, 2016, 2013, 2016, 2019, 2013, 2016, 2016, 2016, 2016, 2016, 2016, 2016, 2019, 2019, 2019, 2019, 2019, 2019, 2019, 2019)
CVE-2021-31207 [Vulners]
Vulners: Score: 6.5, CVSS: 1.7,
Vulners: Exploitation: True
X-Force: Risk: 6.6
X-Force: Patch: Official fix
Soft:
- microsoft exchange server (2013, 2019, 2016, 2016, 2019)
IOCs:
File: 16
Command: 15
Path: 1
IP: 1
Hash: 15
Url: 7
Softs:
microsoft exchange
Win API:
IsDebuggerPresent, CheckRemoteDebuggerPresent
YARA: Found
Links:
https://github.com/wavestone-cdt/EDRSandblast
Security
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.
#ParsedReport
21-10-2022
WarHawk: the New Backdoor in the Arsenal of the SideWinder APTGroup. Key Features of this Attack
https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0
Actors/Campaigns:
Sidewinder (motivation: cyber_espionage)
Lazarus
Threats:
Warhawk
Cobalt_strike
Process_injection_technique
Finfisher
Beacon
Industry:
Government, Energy
Geo:
Indian, Pakistan, Asia
TTPs:
Tactics: 5
Technics: 9
IOCs:
Domain: 9
File: 16
Url: 7
IP: 2
Hash: 7
Algorithms:
base64
Functions:
GetCurrentHWProfileA, HTTPSendRequestW, wsprintf, URLDownloadToFileA
Win API:
RtlAudioDriver, LoadLibraryA, GetUserNameA, GetProcAddress, GetCurrentHwProfileA, GetComputerNameA, InternetReadFile, RegQueryValueExA, ShellExecuteA, LoadLibrary, have more...
Languages:
php
Zscaler
WarHawk: New APT backdoor from SideWinder | Zscaler
SideWinder APT, an Indian threat group, has been targeting Pakistan in threat campaigns using a new backdoor called "WarHawk." Read the ThreatLabz analysis.
#ParsedReport
21-10-2022
Mirai, RAR1Ransom, and GuardMiner Multiple Malware Campaigns Target VMware Vulnerability
https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability
Threats:
Mirai
Rar1ransom
Guardminer
Xmrig_miner
CVEs:
CVE-2022-22947 [Vulners]
Vulners: Score: 6.8, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 10
X-Force: Patch: Official fix
Soft:
- vmware spring cloud gateway (3.1.0, <3.0.7)
- oracle commerce guided search (11.3.2)
- oracle communications cloud native core network slice selection function (1.8.0, 22.1.0)
- oracle communications cloud native core network repository function (1.15.0, 1.15.1, 22.2.0, 22.1.2)
- oracle communications cloud native core network function cloud native environment (1.10.0)
have more...
CVE-2022-26134 [Vulners]
Vulners: Score: 7.5, CVSS: 6.8,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- atlassian confluence data center (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
- atlassian confluence server (7.18.0, <7.17.4, <7.16.4, <7.15.2, <7.14.3, <7.13.7, <7.4.17)
CVE-2022-22954 [Vulners]
Vulners: Score: 10.0, CVSS: 3.7,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- vmware identity manager (3.3.3, 3.3.4, 3.3.5, 3.3.6)
- vmware vrealize automation (7.6, le8.6)
- vmware workspace one access (20.10.0.1, 20.10.0.0, 21.08.0.1, 21.08.0.0)
- vmware vrealize suite lifecycle manager (le8.2)
- vmware cloud foundation (le4.3.1)
have more...
CVE-2018-7600 [Vulners]
Vulners: Score: 7.5, CVSS: 7.4,
Vulners: Exploitation: True
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- drupal (le7.57, <8.3.9, <8.4.6, <8.5.1)
- debian debian linux (9.0, 8.0, 7.0)
have more...
IOCs:
Url: 1
Domain: 3
IP: 1
File: 7
Hash: 10
Softs:
vmware workspace one, curl, process explorer
Algorithms:
xor
Links:
https://github.com/chaitin/xray/releases
Fortinet Blog
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
In April, VMware patched a vulnerability CVE-2022-22954, which causes server-side template injection. Read our blog to learn more about how malware is attempting to leverage the vulnerability and t…
#ParsedReport
23-10-2022
Alert (AA22-294A)
https://us-cert.cisa.gov/ncas/alerts/aa22-294a
Threats:
Daixin
Passthehash_technique
Babuk
Daxin
Industry:
Financial, Iot, Healthcare
Geo:
Canada, Australia
TTPs:
Tactics: 7
Technics: 10
IOCs:
Hash: 5
Softs:
esxi, rclonean
Links:
https://github.com/cisagov/cset/releases/tag/v10.3.0.0
www.cisa.gov
#StopRansomware: Daixin Team | CISA
Actions to take today to mitigate cyber threats from ransomware: • Install updates for operating systems, software, and firmware as soon as they are released. • Require phishing-resistant MFA for as many services as possible. • Train users to recognize and…
#ParsedReport
24-10-2022
Broken Dreams and Piggy Banks: Pig Butchering Crypto Fraud Growing Online
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
Threats:
Pig_butchering
Industry:
Education, Petroleum, Financial
Geo:
Chinese, Cambodia, China, Asia
IOCs:
Domain: 46
Softs:
telegram, coinbase, discord
Proofpoint
Pig Butchering Crypto Scam (Sha Zhu Pan) on the Rise | Proofpoint US
Proofpoint is tracking threats known as Sha Zhu Pan, or "Pig Butchering" scam. Learn all about the pig butchering crypto scam growing online.
#ParsedReport
24-10-2022
Attacking Very Weak RC4-Like Ciphers the Hard Way. What?
https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-the-hard-way
Threats:
Knot
Algorithms:
rc4, xor
Check Point Research
Attacking Very Weak RC4-Like Ciphers the Hard Way - Check Point Research
What? RC4 is a popular encryption algorithm. The way it works is that a “Key Scheduling Algorithm” (KSA) takes your key and generates a 256-byte array, and then a “Pseudo-Random Generation Algorithm” (PRGA) uses that byte array to output an endless stream…
#ParsedReport
24-10-2022
How Kerberos Golden Ticket Attacks Are Signaling a Greater Need for Identity-Based Security
https://www.sentinelone.com/blog/how-kerberos-golden-ticket-attacks-are-signaling-a-greater-need-for-identity-based-security
Threats:
Golden_ticket_technique
Mimikatz_tool
Dcsync_technique
Lsadump_tool
Softs:
active directory, local security authority, azure ad
SentinelOne
How Kerberos Golden Ticket Attacks Are Signaling a Greater Need for Identity-Based Security
Explore the concept of Golden Ticket Attacks, how they are used by attackers, and strategies to detect and prevent them for enhanced cybersecurity.
#ParsedReport
24-10-2022
BYOVD. Lazarus attack group's malware infection case that disables anti-virus programs with BYOVD techniques
https://asec.ahnlab.com/ko/40495
Actors/Campaigns:
Lazarus
Threats:
Byovd_technique
Watering_hole_technique
Lazardoor
Lazarshell
Lazarloader
Trojan/win.agent
Putty_tool
Plink
Industry:
Chemical
Geo:
Korea
CVEs:
CVE-2021-26606 [Vulners]
Vulners: Score: 10.0, CVSS: 3.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- dreamsecurity magicline4nx.exe (le1.0.0.17)
IOCs:
Hash: 16
IP: 13
Url: 1
File: 6
ASEC BLOG
A Lazarus Group Malware Infection Case That Disables Anti-Virus Programs Using the BYOVD Technique - ASEC BLOG
In April 2022, AhnLab reported on the ASEC blog (New malware of the Lazarus attack group abusing the INITECH process, https://asec.ahnlab.com/ko/33706) that the Lazarus attack group abuses the INITECH process to infect systems with malware. This post describes how the Lazarus attack group, after compromising a system through a watering hole attack, exploited a vulnerability in DreamSecurity's MagicLine4NX product to compromise additional systems within the internal network…
#ParsedReport
24-10-2022
Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication
https://cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication/?utm_source=rss&utm_medium=rss&utm_campaign=multiple-rce-vulnerabilities-affecting-veeam-backup-replication
Threats:
Empire_loader
Monti
Yanluowang
CVEs:
CVE-2022-26501 [Vulners]
Vulners: Score: 10.0, CVSS: 2.0,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (<10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26500 [Vulners]
Vulners: Score: 6.5, CVSS: 7.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 9.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
CVE-2022-26504 [Vulners]
Vulners: Score: 9.0, CVSS: 7.4,
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
Soft:
- veeam backup & replication (9.5.0.1536, 9.5.4.2615, <10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, 10.0.1.4854, <11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261, 11.0.1.1261)
TTPs:
Tactics: 3
Technics: 0
IOCs:
File: 3
Hash: 3
IP: 1
Softs:
hyper-v
Languages:
python
Links:
https://github.com/sadshade/veeam-creds
Cloudsek
Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication | Threat Intelligence | CloudSEK
Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication are being exploited, with fully weaponized remote code execution tools being advertised.